SURFnet has been active in the DNSSEC arena for quite some time now. Last year we deployed DNSSEC on our DNS resolvers and we have since learned a great deal about the operational aspects of DNSSEC. We regularly share this information with our constituency and our international peers at conferences and meetings. Since the beginning of this year we have also started work on a DNSSEC deployment for our authoritative DNSSEC infrastructure. This means that we have to integrate a DNSSEC signer, manage keys, etc. Our goal is to integrate this in our managed DNS environment – SURFdomeinen – in such a way that enabling DNSSEC becomes a simple “tick-the-checkbox” action for our users.

The idea to set up this blog came up during one of the project team meetings. We constantly learn new things while working on our DNSSEC deployment and are quite willing to share this information with the wider Internet community. Also, we hope this will result in a concise reference for rolling out DNSSEC as a service, something that may benefit the Internet community as a whole.

The focus of this blog will be to share some of the design considerations and discussions we had while working on our DNSSEC signer integration.

We would greatly appreciate feedback and/or contributions, so please feel free to submit comments or questions!